Adding SSH private key gives error that 0644 permissions are too open

I have generated an SSH private key (.key). I want to add it to SSH on my Mac to connect to a remote server. I only have a known_hosts file in the ~/.ssh directory.

When I try to add it using this command:

ssh-add -K ~/.ssh/myKey.ppk

I get this error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/Users/username/.ssh/myKey.ppk' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.

Solution 1:

The error message is displayed because the file permissions are set such that the file is readable by other users apart from the logged-in user. To overcome the error message, you will need to change the file permissions for the private key such that it is readable only by you.

To do that, run the following command in Terminal:

cd ~/.ssh ; chmod 400 myKey.ppk

This will allow only your user to read (and not write and execute) the private key file and prevent everyone else from reading, writing and executing the file.

This will take care of the error message shown to you and you should be able to add the private key file all right.

Solution 2:

Go to the terminal and type this command:

chmod 0600 ~/.ssh/myKey.ppk

That should be fine.

Solution 3:

While changing the permissions of the .ppk file will indeed make this warning go away, I would recommend disabling group/others access to the .ssh directory altogether:

cd ~
chmod g-rwx .ssh
chmod o-rwx .ssh

Otherwise, with insecure permissions on your home directory, other users could place files (like authorized_keys) in your .ssh directory, or mess with known_hosts, or change config items, and gain access that way - without having to know either your password or your private key.

Secondly, in a multi-user environment it would be dubious practice just to retroactively restrict permissions to a key. If a private key has been world-readable on a multi-user system at any given time, it should be considered as already compromised.
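The checks from Solutions 1 to 3, as an added example that is not part of the original answers: a shell function that flags group/other permission bits on an SSH directory and on the private key files inside it (recognised by an OpenSSH/PEM or PuTTY header line). The function names and the demo directory are hypothetical, and the key files are constructed placeholders with no real key material.

```shell
#!/bin/sh
# Added example: audit an SSH directory for group/other-accessible key material.

# Print a file's permission bits in octal (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True if the first line looks like an OpenSSH/PEM or PuTTY private key header.
is_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -Eq 'PRIVATE KEY-----|^PuTTY-User-Key-File-'
}

# Report findings for directory $1; return 1 if anything was flagged, 0 if clean.
audit_ssh_dir() {
    dir=$1 flagged=0
    mode=$(file_mode "$dir") || return 2
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "DIR  $mode $dir: group/other access; fix with: chmod go-rwx '$dir'"
        flagged=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        is_private_key "$f" || continue
        mode=$(file_mode "$f")
        [ $(( 0$mode & 077 )) -ne 0 ] || continue
        flagged=1
        echo "KEY  $mode $f: too open; fix with: chmod 600 '$f'"
        # Per Solution 3: a key readable by "others" should be replaced, not just chmod-ed.
        if [ $(( 0$mode & 004 )) -ne 0 ]; then
            echo "KEY  $mode $f: world-readable; on a multi-user system treat as compromised"
        fi
    done
    return $flagged
}

# Constructed demo: a throwaway directory with placeholder key files.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' > "$demo_dir/id_rsa"
printf '%s\n' 'PuTTY-User-Key-File-2: ssh-rsa' 'constructed' > "$demo_dir/myKey.ppk"
chmod 755 "$demo_dir"; chmod 600 "$demo_dir/id_rsa"; chmod 644 "$demo_dir/myKey.ppk"
audit_ssh_dir "$demo_dir" || echo "findings reported above"
rm -rf "$demo_dir"
```

To check a real setup, call audit_ssh_dir "$HOME/.ssh" instead of the demo directory.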

Solution 4:

It looks like you copied your private key from Windows or from another computer where you used PuTTY. Unfortunately, the ssh command-line tool does not support this key format and therefore you have two options:

  • Install PuTTY again (it should also exist on your Mac)
  • Convert the private key from the PuTTY file format to the OpenSSH format (again using PuTTYGen from PuTTY, as already described in my previous answer):

    • Open PuttyGen
    • Click Load
    • Load your private key
    • Go to Conversions->Export OpenSSH and export your private key
    • Copy your private key to ~/.ssh/id_rsa

If you still see the issues using the new exported key (~/.ssh/id_rsa), make sure that the key is not readable by anyone else but you (it is your private key) by removing all the privileges of all the others by running chmod 600 ~/.ssh/id_rsa.